Expect end-user cybersecurity

While automation hardware and software provide a tunnel for viruses or other malicious payloads, it's the end user who must remember to shut the door on cybersecurity

By Jeremy Pollard, CET

Aug 15, 2017

I was recently at a Rockwell Automation mobile trade show called, “On The Move” (RAOTM) in Toronto. There were sessions on relevant technologies, hands-on labs and vendor presentations. It was pretty impressive.

However, I generally found that there were booths without help, as well as a lack of “this is what we are displaying here” types of things.

Regardless, technology old and new were available to see, touch and feel. I felt like I was back in the good old days of trade shows where you run into people who you never see or talk to otherwise. I didn’t find the press room, which would be the meeting place for some of us types.

But I did run into some peeps I haven’t sat and talked to in years. It was awesome to see how I have actually aged in lock-step with my colleagues.

The biggest buzz word in industrial control circles is cybersecurity. While this topic is not a vendor-specific alarm bell, I was disappointed that cybersecurity and associated topics were really nowhere to be found at the RAOTM.

I remember talking to a Rockwell expert on cyber, and his comment to me was, “We rely on the user and their expertise to supply the security levels that they deem appropriate.” This is a paraphrase of his statement, but it fits in with the attitudes by vendors of automation.

“The premise is that vendors are selling you convenience and not taking any responsibility for any security at all, regardless of the products.”

I recently presented at the ISA Power Industry Division (POWID) symposium in Cleveland. My presentation was titled, “Design for Remote Access: or What the Heck Were You Thinking?” The premise is that vendors are selling you convenience and not taking any responsibility for any security at all, regardless of the products. Well, the subject was a hot potato at the symposium, and there were lots to say and to think about.

I had a long conversation with the global VP of sales and marketing, who just returned from China. He was frustrated with the fact that he had to jump through hoops just to read his email while on his laptop. His IT group had made the process very difficult to remote into their network in the United States. We talked about remote access, and, even in a sales capacity he understood how important security is, but why does it have to be so hard? His story is very similar to lots of people I talked with.

Remote access is only part of the cybersecurity issue. In speaking with Harry Tom, who is a group manager for the Federal Energy Regulatory Commission, cybersecurity is the real deal for critical infrastructure.

These guys are brought in to field operations offices to basically do an audit in a given environment and make suggestions on how to become more secure. He said to me that they never leave without making suggestions, which tells me that security is a big issue everywhere.

I was stopped in the hallway of the symposium and was told that remote access and security of ICS systems in critical infrastructure is a really hot topic.

I asked why. The response was that no one really knows how to do it, which is something Marty Edwards, when he was with the DHS, was lamenting to me during an interview. Most think that all is fine—air-gapped thinking.

The one thing that slays me is the appearance of security when using VPNs. The VPN may be secure with encryption and the like, but the endpoint lockdown is really where the action is.

Well, if it wasn’t such a hot topic, I guess I wouldn’t have been invited to present the same presentation at the ISA’s International Instrumentation Symposium in Houston. Cybersecurity is an issue.

So, having said that, one wonders about my earlier comment about how it is up to the user to secure his own landscape. In fact, I have a comment by a VPN hardware vendor who stated it is possible for a virus or other malicious payload to be transferred through the tunnel. The number of steps leading up to that point are preventable by the user.

So, again it is the user’s responsibility. Vendors will help to some extent maybe.

A Swedish system integrator (SI) was asked by many of its customers to use the VPN solution. The SI doesn’t want hardware on the networks. I asked if they were concerned about the endpoint’s being used to gain access to those networks. Silence.

I was disappointed that Rockwell Automation didn’t take a bigger stance on the cybersecurity platform. But I wonder if I should be since no one else does it either.

Am I expecting too much?

About the author

Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.